<@U04UQ68083H> how to use pkcs flow for integratin...
# ory-copilot
@chilly-king-10285 how to use pkcs flow for integrating with social provider? is it possible to pass code_verifier to token exchange endpoint (typically /token)?
A message from kapa.ai
Yes, it is possible to use the PKCE (Proof Key for Code Exchange) flow for integrating with a social provider, and you can pass the `code_verifier` to the token exchange endpoint. Here's a general outline of how you can do it:

1. Generate a code verifier and a code challenge. The code verifier is a cryptographically random string. The code challenge is derived from the code verifier. In the examples provided, a function `generatePKCES256()` is used to generate these values.

```javascript
// Keep codeVerifier on the client; only codeChallenge goes into the authorization request.
const { codeChallenge, codeVerifier } = await generatePKCES256()
```

[Source](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#perform-pkce)

2. Construct the authorization URL with the required parameters, including the `code_challenge` and `code_challenge_method`. Redirect the user to this URL to start the authorization flow.

```javascript
// $PROJECT_SLUG is a placeholder for the project slug; clientId and redirectUri are defined elsewhere.
const authorizationUrl = `https://$PROJECT_SLUG.projects.oryapis.com/oauth2/auth?response_type=code&client_id=${clientId}&redirect_uri=${redirectUri}&code_challenge=${codeChallenge}&code_challenge_method=S256`
window.location = authorizationUrl
```

[Source](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#spa-and-public-client-with-pkce)

3. After the user has granted permission, you will receive an authorization code. You can exchange this code for an access token at the token exchange endpoint. Include the `code_verifier` in this request to validate the authorization code and prevent code injection attacks.

```javascript
const code = "authorization_code_received_from_auth_server"
// $PROJECT_SLUG is a placeholder for the project slug.
const tokenUrl = "https://$PROJECT_SLUG.projects.oryapis.com/oauth2/token"
// code_verifier must be the value generated in step 1 for this authorization request.
const requestBody = `grant_type=authorization_code&client_id=${clientId}&code_verifier=${codeVerifier}&code=${code}`

fetch(tokenUrl, {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: requestBody,
})
  // Parse the JSON body so the token response is logged, not the raw Response object.
  .then((response) => response.json())
  .then((data) => console.log(data))
  .catch((error) => console.error(error))
```

[Source](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#exchange-code-for-token-1)

Please note that the actual implementation may vary depending on the specific requirements of the social provider you are integrating with. Always refer to the provider's documentation for the most accurate information.
@chilly-king-10285 does kratos support enabling pkcs for openid social providers?
A message from kapa.ai
I'm sorry, but based on the provided knowledge sources, there is no specific information available about Ory Kratos supporting PKCE (Proof Key for Code Exchange) for OpenID social providers. Ory Kratos does support various social sign-in providers like GitHub, Apple, GitLab, Google, Facebook, Ory OAuth2 & OpenID Connect (Ory Hydra), Keycloak, and every other OpenID Connect Certified Provider. However, the specifics of PKCE implementation are not mentioned in the provided sources. For the most accurate and detailed information, I would recommend checking the official Ory Kratos documentation or reaching out to the Ory community for support.